GPLv2 decline and debate on open source licenses
Jay Lyman, August 27, 2009 @ 1:00 pm ET
Code scanning and management vendor Black Duck reports the GNU General Public License v2 (GPLv2) now dipping below 50% share of open source software. While we already knew that GPLv2 was somewhat in decline from its far greater share of open source code over the last 5-10 years, it is useful to know what pool of code we’re talking about. We must also remember that while GPLv2 may not be as dominant as it once was, and other licenses, particularly GPLv3, are quickly gaining share, GPLv2 is still quite relevant to enterprise open source software, is used in a variety of newer and popular applications across the enterprise stack, and is likely to remain in the top 10 licenses for a long time.
Regarding GPLv2 and Black Duck’s findings, some folks are rightly asking what code, and how much of it, we are considering when GPLv2 accounts for half or less of the software. Well, the short answer is, I believe, hosted open source code. Black Duck draws its figures from open source software in its Software Knowledgebase, which draws on other repositories and includes more than 185,000 software projects.
For our recent report, The Myth of Open Source License Proliferation, we thought it would be useful to look at open source license representation in another cross-section of software that was more reflective of code in use. Thus, with the help of Airius Internet Solutions, we considered the open source licenses of software that was the subject of vulnerability reporting (arguably, a decent measure of the software’s use). What we found, somewhat surprisingly, was that the list of most popular open source licenses among hosted open source software was very consistent with the list of most popular open source licenses among open source software in use. Both lists have the GPLv2, GPLv3, Artistic, BSD and Apache licenses in their top six, albeit in somewhat different orders. The percentages for different licenses, however, were quite different, giving more share to other licenses further down the list in the case of software in use.
At the time of our report, May 2009, the GPLv2 license accounted for 50.49% of all projects documented in Black Duck’s Software Knowledgebase, which is more than 185,000 projects. During the same time frame, Airius reported that the GPLv2 license accounted for 36.34% of software subject to vulnerability reporting and the Airius Risk Report, which consists of more than 139,000 projects reviewed. GPLv2 still tops both lists for now, but it is clear that GPLv3 is rising fast. Black Duck reported in June that GPLv3 had moved past the Mozilla, MIT and Apache licenses to the fifth spot on its list with 5.10%, behind BSD. Our research with Airius indicated that GPLv3 was number two on the list of projects reviewed with 18.5% as of June 15, 2009. This reinforces the idea that GPLv2 is being used less while GPLv3 is gaining more use. Nevertheless, it is important to remember GPLv2 is still being used in many projects and products beyond Linux and MySQL (which are, nevertheless, among prominent uses of the GPLv2). Examples range from applications such as Jaspersoft BI to systems management software such as Likewise, to cloud computing pieces such as the Puppet server automation software.
We’ll be delving into these and related issues with a lively, live debate on OSS licenses coming this Monday, August 31. We’ll have Matt Asay argue for GPL, Eclipse Foundation’s Mike Milinkovich pull for EPL and Coverity’s David Maxwell for the BSD as they spar over which license is best. The audience and a panel including yours truly will judge who wins, and we’ll post our thoughts here and elsewhere for others to weigh in as well. Please join the discussion and the debate.